Resolves #67, ads a page to enforce a registration token; and a page to create the registration URL

Author: pembo13

dbdb/core/forms.py

@@ -158,6 +158,24 @@ class CreateUserForm(forms.ModelForm):
         widget=InvisibleReCaptchaWidget
     )
 
+    def __init__(self, *args, **kwargs):
+        super(CreateUserForm, self).__init__(*args, **kwargs)
+
+        self.initial_email = None
+
+        initial = getattr(self, 'initial', None)
+        if initial and 'email' in initial and initial['email']:
+            self.initial_email = initial['email']
+            self.fields['email'].widget.attrs['readonly'] = True
+            pass
+
+        return
+
+    def clean_email(self):
+        if self.initial_email:
+            return self.initial_email
+        return self.cleaned_data['email']
+
     def clean_password2(self):
         if self.cleaned_data['password2'] == self.cleaned_data['password']:
             return self.cleaned_data['password2']

dbdb/core/urls.py

@@ -27,8 +27,9 @@
     url(r'^stats[/]?$', views.StatsView.as_view(), name='stats'),
     url(r'^stats(?:/(?P<stats_type>[\w]+))$', views.StatsView.as_view(), name='stats_detailed'),
 
-    url(r'^user/create$', views.CreateUser.as_view(), name='create_user'),
-    url(r'^user/create/$', RedirectView.as_view(pattern_name='create_user')),
+    path('user/create', views.CreateUserView.as_view(), name='create_user'),
+    path('user/create/', RedirectView.as_view(pattern_name='create_user')),
+    path('user/setup', views.SetupUserView.as_view(), name='setup_user'),
 
     path('counter', views.CounterView.as_view(), name='counter'),
     path('sitemap.xml', views.SitemapView.as_view(), name='sitemap'),

dbdb/core/views.py

@@ -1,17 +1,18 @@
 # stdlib imports
 from functools import reduce
+from pprint import pprint
 import collections
 import datetime
-import operator
 import json
+import operator
 import time
 import urllib.parse
-from pprint import pprint
 # django imports
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import UserPassesTestMixin
 from django.db import transaction
 from django.db.models import Q, Count, Max, Min
 from django.forms import HiddenInput
@@ -55,6 +56,10 @@
 from dbdb.core.models import SystemVisit
 from dbdb.core.models import SystemRecommendation
 
+
+UserModel = get_user_model()
+
+
 # constants
 
 FILTERGROUP_VISIBLE_LENGTH = 3
@@ -132,6 +137,15 @@ def get_removal_url(self):
     pass
 
 
+# helper functions
+
+def staff_check(user):
+    return user.is_staff
+
+def super_user_check(user):
+    return user.is_superuser
+
+
 # class based views
 
 # ==============================================
@@ -753,8 +767,8 @@ def post(self, request):
         try:
             payload = jwt.decode(
                 token.encode('utf-8'),
-                 settings.SECRET_KEY,
-                 algorithms=['HS256']
+                settings.SECRET_KEY,
+                algorithms=['HS256']
             )
 
             iss = payload.get('iss')
@@ -796,42 +810,112 @@ def post(self, request):
     pass
 
 # ==============================================
-# CreateUser
+# CreateUserView
 # ==============================================
-class CreateUser(View):
+class CreateUserView(View):
+
+    TOKEN_QUERY_NAME = 'token'
 
     template_name = 'registration/create_user.html'
 
+    def decode_token(self, request):
+        token = request.GET.get(CreateUserView.TOKEN_QUERY_NAME)
+
+        if not token:
+            return None
+
+        try:
+            payload = jwt.decode(
+                token.encode('utf-8'),
+                settings.SECRET_KEY,
+                algorithms=['HS256'],
+                verify=True
+            )
+            pass
+        except jwt.exceptions.ExpiredSignatureError:
+            payload = False
+        except:
+            payload = None
+
+        return payload
+
     def get(self, request, *args, **kwargs):
-        context = {
-            'form': CreateUserForm(auto_id='%s'),
+        expired_token = False
+        initial = { }
+
+        reg_info = self.decode_token(request)
+        if reg_info == False:
+            expired_token = True
+            pass
+        elif reg_info and 'sub' in reg_info:
+            initial['email'] = reg_info['sub']
+
+        form = CreateUserForm(auto_id='%s', initial=initial)
+
+        return render(request, self.template_name, {
+            'title': 'User Registration',
+
+            'expired_token': expired_token,
+            'form': form,
             'recaptcha_key': getattr(settings, 'NORECAPTCHA_SITE_KEY'),
-        }
-        return render(request, context=context, template_name=self.template_name)
+        })
 
     def post(self, request, *args, **kwargs):
-        form = CreateUserForm(request.POST, auto_id='%s')
-        User = get_user_model()
+        expired_token = False
+        initial = { }
+
+        # check for a registration info
+        reg_info = self.decode_token(request)
+        # if the registration expired `False` then return to login page
+        if reg_info == False:
+            return redirect(settings.LOGIN_URL + '?status=failed')
+            pass
+        # if the registration included a subject, use as email address
+        elif reg_info and 'sub' in reg_info:
+            initial['email'] = reg_info['sub']
+            pass
+
+        # create form class (it handles enforcing initial email)
+        form = CreateUserForm(request.POST, auto_id='%s', initial=initial)
 
         if form.is_valid():
-            User.objects.create_user(
-                username=form.cleaned_data['username'],
-                email=form.cleaned_data['email'],
-                password=form.cleaned_data['password']
-            )
-            return redirect('/login/?status=success')
+            with transaction.atomic():
+                # create user with provided info
+                user = UserModel.objects.create_user(
+                    username=form.cleaned_data['username'],
+                    email=form.cleaned_data['email'],
+                    password=form.cleaned_data['password']
+                )
+
+                # associate the user with various systems if specified in registration info
+                if reg_info and 'systems' in reg_info:
+                    system_ids = list( map(int, reg_info['systems']) )
+
+                    # NOTE: if registration contained no longer valid system IDs, this will error out
+                    SystemACL.objects.bulk_create([
+                        SystemACL(
+                            system_id=system_id,
+                            user_id=user.id
+                        )
+                        for system_id in system_ids
+                    ])
+                    pass
+                pass
 
-        return render(request, context={
+            # end successfully with a redirect to login page
+            return redirect(settings.LOGIN_URL + '?status=success')
+
+        return render(request, self.template_name, {
             'form': form,
             'recaptcha_key': getattr(settings, 'NORECAPTCHA_SITE_KEY'),
-        }, template_name=self.template_name)
+        })
 
     pass
 
 # ==============================================
 # DatabasesEditView
 # ==============================================
-class DatabasesEditView(View, LoginRequiredMixin):
+class DatabasesEditView(LoginRequiredMixin, View):
 
     template_name = 'core/databases-edit.html'
 
@@ -1218,6 +1302,59 @@ def get(self, request):
 
     pass
 
+# ==============================================
+# SetupUserView
+# ==============================================
+class SetupUserView(UserPassesTestMixin, View):
+
+    TOKEN_QUERY_NAME = 'token'
+
+    template_name = 'registration/setup_user.html'
+
+    def build_token(self, email, systems):
+        payload = {
+            'exp': datetime.datetime.utcnow() + datetime.timedelta(days=7),
+            'iss': 'setup_user',
+            'sub': email,
+            'nbf': datetime.datetime.utcnow(),
+            'systems': list( map(int, systems) ),
+        }
+
+        s = jwt.encode(payload, settings.SECRET_KEY, algorithm='HS256')
+        s = s.decode('utf-8')
+
+        return s
+
+    def get(self, request, *args, **kwargs):
+        if request.GET.get('action') == 'url' and request.GET.get('email') and request.GET.getlist('systems'):
+            email = request.GET.get('email').lower().strip()
+            systems = request.GET.getlist('systems')
+
+            response = None
+
+            if UserModel.objects.filter(email=email).exists():
+                response = { 'error':'Email already exists' }
+                pass
+            else:
+                url = reverse('create_user') + '?' + urllib.parse.urlencode({ SetupUserView.TOKEN_QUERY_NAME:self.build_token(email, systems) })
+                url = request.build_absolute_uri(url)
+
+                response = { 'url':url }
+                pass
+
+            return JsonResponse(response)
+
+        return render(request, self.template_name, {
+            'title': 'User Registration Setup',
+
+            'systems': System.objects.all(),
+        })
+
+    def test_func(self):
+        return super_user_check(self.request.user)
+
+    pass
+
 # ==============================================
 # StatsView
 # ==============================================
@@ -1408,18 +1545,14 @@ def get(self, request, slug):
         system_version = system.current()
         system_features = SystemFeature.objects.filter(system=system_version).select_related('feature').order_by('feature__label')
 
-        # If they are logged in, check whether they are allowed to edit
-        user_can_edit = False
-        if request.user.is_authenticated:
-            if request.user.is_superuser:
-                user_can_edit = True
-            else:
-                try:
-                    SystemACL.objects.get(system=system, user=request.user)
-                    user_can_edit = True
-                except SystemACL.DoesNotExist:
-                    pass
-        ## IF
+        # if they are logged in, check whether they are allowed to edit
+        if not request.user.is_authenticated:
+            user_can_edit = False
+        elif request.user.is_superuser:
+            user_can_edit = True
+        else:
+            user_can_edit = SystemACL.objects.filter(system=system, user=request.user).exists()
+            pass
 
         # Compatible Systems
         compatible = [

templates/registration/create_user.html

@@ -21,6 +21,12 @@
                 <form method="POST" id="registration">
                     <h1>User Registration</h1>
 
+                    {% if expired_token %}
+                    <div class="alert alert-danger mb-0" role="alert">
+                        <p><strong>The registration link provided to you has expired.</strong></p>
+                        <p>Please request a new one.</p>
+                    </div>
+                    {% else %}
                     {% csrf_token %}
                     {% bootstrap_form form %}
                     {% buttons %}
@@ -34,6 +40,7 @@ <h1>User Registration</h1>
                             Cancel
                         </a>
                     {% endbuttons %}
+                    {% endif %}
                 </form>
             </div>
         </div>